Struts2 exposed to a high-risk vulnerability, NGAF will protect you!
Struts2 has been exposed to a high-risk vulnerability, S2-032 (CVE-2016-3081), through which attackers can execute arbitrary commands remotely. The financial industry has been the hardest hit so far; other web sites that use the Struts2 open source framework should do their security work in time.
Struts2 is one of the most widely used Java web server frameworks in the world. It is the next generation of the Struts product line, combining the Struts1-based framework with WebWork technology.
Struts2 officially released the S2-032 vulnerability notification, "S2-032 Remote Code Execution Vulnerability", on April 20th. It can be said to be the highest-impact Struts2 vulnerability since S2-016, and exploits for S2-032 caused a great disturbance once they were exposed on the Internet.
The Struts2 project team released an official public note about the S2-032 vulnerability on April 20th:
The Struts2 framework has had many RCE (Remote Code Execution) vulnerabilities disclosed since S2-016, but those were hard to exploit, so people rarely paid attention to them. That changed on the afternoon of April 25th, when menmen519 in the Wooyun zone released a PoC for this vulnerability, which caused an earthquake on the Internet.
As the PoC shows, an attacker can write a webshell by exploiting this vulnerability. People finally paid more attention to this high-risk, easily exploited vulnerability. Within a few hours, security researchers released command-line, batch, GUI and online testing tools, and white-hat hackers posted hundreds of vulnerable websites to the Wooyun and Butian vulnerability platforms. As Wooyun's official announcement shows, this vulnerability has a great impact not only on the financial industry but also on others such as government, securities and insurance.
Sangfor Furher-Eye Security Research Lab tested more than 300 websites that use the Struts2 framework and found that about 5% of them are vulnerable. Although exploitation of this vulnerability has its limitations and the vulnerable rate is lower than for S2-016, the total number of websites using Struts2 is enormous, so the total number of vulnerable websites is still substantial. As a result, this vulnerability will leave an indelible mark on the network security industry this year.
Impacted versions: Struts 2.3.20 - Struts 2.3.28 (not including two fixed point releases whose version numbers did not survive extraction of this page)
The exploit is simple and crude: even a single crafted request can write a webshell, leaving the server fully compromised. The main damage of the vulnerability:
1. An attacker can remotely obtain web site, web server, database, system and other information about the target site.
2. An attacker can execute arbitrary commands remotely.
3. An attacker can upload a webshell remotely and leave a back door on the target site.
4. Through this vulnerability, an attacker can further expand the scope of the intrusion and obtain higher privileges.
Details and solution for this vulnerability: Struts2 Remote Code Execution vulnerability
1. Disable dynamic method invocation:
Modify the Struts2 configuration file and set "struts.enable.DynamicMethodInvocation" to false.
2. Upgrade Struts to one of the fixed versions (the three version numbers did not survive extraction of this page)
3. NGAF users can upgrade IPS to the latest version to defend against the Struts2 S2-032 vulnerability.
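As an added example (not from the original post or from Sangfor), a small Python audit that reads a deployment's struts.xml and struts.properties and reports whether dynamic method invocation is actually off, since mitigation 1 only works if no other file turns it back on. The sample configuration files are constructed; the check assumes the Struts 2.3.x default, in which DMI is enabled when the key is never set.

```python
"""Audit a Struts 2.3.x configuration for dynamic method invocation (DMI); sample files are constructed."""
import re
import xml.etree.ElementTree as ET
DMI_KEY = "struts.enable.DynamicMethodInvocation"

def constants_from_struts_xml(xml_text):
    """Return {name: value} for every <constant> element in struts.xml."""
    root = ET.fromstring(xml_text)
    return {c.get("name"): c.get("value") for c in root.iter("constant") if c.get("name")}

def constants_from_properties(props_text):
    """Parse key=value (or key: value) lines of struts.properties, skipping comments and blanks."""
    result = {}
    for line in props_text.splitlines():
        line = line.strip()
        if not line or line.startswith(("#", "!")):
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]\s*(.*)", line)
        if match:
            result[match.group(1)] = match.group(2)
    return result

def dmi_status(struts_xml=None, struts_props=None):
    """Return 'enabled', 'disabled' or 'conflict'. Struts 2.3.x enables DMI by default, so an
    absent key means 'enabled'; anything but "true" is false (like Java's Boolean.valueOf);
    disagreeing files yield 'conflict' so the operator checks which file wins instead of guessing."""
    values = []
    if struts_xml is not None:
        values.append(constants_from_struts_xml(struts_xml).get(DMI_KEY))
    if struts_props is not None:
        values.append(constants_from_properties(struts_props).get(DMI_KEY))
    flags = {v.strip().lower() == "true" for v in values if v is not None}
    if not flags:
        return "enabled"  # key never set: the vulnerable default applies
    if len(flags) == 2:
        return "conflict"
    return "enabled" if flags.pop() else "disabled"

# Constructed sample: a struts.xml that never sets the key (default applies).
SAMPLE_XML_DEFAULT = """<struts>
  <constant name="struts.devMode" value="false"/>
  <package name="default" extends="struts-default"/>
</struts>"""
# Constructed sample: the hardened setting recommended above.
SAMPLE_XML_HARDENED = """<struts>
  <constant name="struts.enable.DynamicMethodInvocation" value="false"/>
</struts>"""
# Constructed sample: a struts.properties that turns DMI back on.
SAMPLE_PROPS_ENABLED = "# constructed\nstruts.enable.DynamicMethodInvocation = true\n"
```

Run `dmi_status` on the real files pulled from the application's classpath; a 'conflict' result means the setting exists in both files and the effective value must be confirmed in the running application.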